
New Linux Malware ‘Auto-Color’ Grants Hackers Full Remote Access to Targeted Systems


A previously undocumented Linux malware strain, dubbed Auto-Color, has been actively targeting universities and government organizations across North America and Asia between November and December 2024, according to cybersecurity researchers at Palo Alto Networks Unit 42.


Auto-Color: A Stealthy Linux Threat

Security researcher Alex Armstrong revealed in a technical analysis that once Auto-Color infects a system, it provides threat actors with full remote access, making it extremely difficult to remove without advanced cybersecurity tools.


Named after the file it renames itself to post-installation, Auto-Color’s exact initial infection vector remains unclear. However, researchers note that the malware requires explicit execution by a victim on a Linux machine.


Sophisticated Evasion Techniques

Auto-Color employs multiple stealth techniques to evade detection and maintain persistence:

  • Disguised File Names – Uses innocuous names like door or egg to blend into system directories.
  • Encrypted Communications – Uses a custom encryption algorithm to conceal command-and-control (C2) traffic and its embedded configuration data.
  • Persistence Mechanisms – Installs a malicious library implant (libcext.so.2), copies itself to /var/log/cross/auto-color, and adds the implant to the dynamic linker's preload file (the report names /etc/ld.preload; the file glibc's loader actually reads on a standard system is /etc/ld.so.preload, so responders should inspect both) to maintain long-term control over infected machines.


Root Privileges and Advanced Hiding Techniques

For full execution, Auto-Color requires root privileges. If the user who runs it lacks root access, the malware skips the steps that need it (the library implant and preload entry) but still attempts the remaining malicious actions.


A key component of Auto-Color is its library implant, which is loaded into every dynamically linked process via the preload file and overrides libc functions such as open(). When a process opens /proc/net/tcp, the kernel's listing of current TCP sockets that tools like netstat rely on, the hook returns a filtered view with the malware's own connections removed, effectively hiding C2 traffic from userland security tools.


This stealth mechanism is similar to Symbiote, another sophisticated Linux malware designed to operate undetected within compromised systems.
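The two detection checks that follow from the persistence and hiding behaviour above, as an added example that is not part of the Unit 42 report or this article: a parser for the /proc/net/tcp format (the hex address fields are stored in host byte order, so the octets appear reversed on x86), a comparison that surfaces sockets present in a trusted view but missing from the view an implant-hooked process sees, and a review of the preload file's entries. The sample socket tables are constructed for the example and use documentation-range addresses; the implant name libcext.so.2 and the /var/log/cross path are the only identifiers taken from the report. Because the preload hook affects every dynamically linked process, including the Python interpreter itself, the trusted view on a live host has to come from a statically linked tool or from examining the disk out of band; the script only demonstrates the comparison logic.

```python
import os

# TCP socket states as encoded in the "st" column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample: what /proc/net/tcp looks like when read through a
# trusted path (e.g. a static binary). Row 2 is the "C2" session.
SAMPLE_UNFILTERED = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18213 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:BF1E 076433C6:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23911 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:9A4C 057100CB:1F90 01 00000000:00000000 00:00000000 00000000     0        0 24002 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample: the same table as seen by a process whose open() has
# been hooked to drop the implant's own connection (row 2 is gone).
SAMPLE_FILTERED = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18213 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:BF1E 076433C6:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23911 1 0000000000000000 20 4 30 10 -1
"""

# Implant filename from the Unit 42 report; extend with local indicators.
SUSPICIOUS_PRELOAD_NAMES = ("libcext.so.2",)


def _hex_addr(field):
    """Decode an 'AABBCCDD:PPPP' field into (dotted_ip, port).

    Assumes a little-endian host (x86/arm64), where the kernel prints the
    IPv4 address as a host-order 32-bit integer, i.e. octets reversed."""
    ip_hex, port_hex = field.split(":")
    octets = bytes.fromhex(ip_hex)[::-1]
    return ".".join(str(b) for b in octets), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp content into a list of socket dicts."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with the slot number followed by a colon ("0:");
        # the header row does not.
        if len(parts) < 10 or not parts[0].endswith(":"):
            continue
        conns.append({
            "local": _hex_addr(parts[1]),
            "remote": _hex_addr(parts[2]),
            "state": TCP_STATES.get(parts[3], parts[3]),
            "uid": int(parts[7]),
            "inode": int(parts[9]),
        })
    return conns


def hidden_connections(trusted_text, hooked_view_text):
    """Return sockets present in the trusted view but absent from the view a
    (possibly hooked) dynamically linked process reads."""
    visible = {(c["local"], c["remote"]) for c in parse_proc_net_tcp(hooked_view_text)}
    return [c for c in parse_proc_net_tcp(trusted_text)
            if (c["local"], c["remote"]) not in visible]


def check_preload(contents):
    """Flag preload entries that match a known implant name or live outside
    the usual system library directories. Any non-empty preload file
    deserves a look; on most hosts it does not exist at all."""
    findings = []
    for entry in contents.split():
        if os.path.basename(entry) in SUSPICIOUS_PRELOAD_NAMES:
            findings.append(f"known implant name: {entry}")
        elif not entry.startswith(("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")):
            findings.append(f"preload outside system library dirs: {entry}")
    return findings


if __name__ == "__main__":
    for c in hidden_connections(SAMPLE_UNFILTERED, SAMPLE_FILTERED):
        print("hidden socket:", c)
    # Live check of both preload paths named above; harmless when absent.
    for path in ("/etc/ld.so.preload", "/etc/ld.preload"):
        if os.path.exists(path):
            with open(path) as fh:
                for f in check_preload(fh.read()):
                    print(f"{path}: {f}")
    if os.path.exists("/var/log/cross/auto-color"):
        print("found /var/log/cross/auto-color")
```

On a suspect host, feed hidden_connections() a /proc/net/tcp copy taken with a statically linked busybox (or from a forensic image) as the trusted view and the output of a normal dynamically linked cat as the hooked view; any socket that appears only in the trusted copy is one the preloaded library is removing.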


Full Remote Control Over Infected Machines

Once Auto-Color successfully establishes a connection to its C2 server, it grants attackers the ability to:

  • Deploy a reverse shell for remote access.
  • Exfiltrate system data and modify files.
  • Execute arbitrary programs on the infected machine.
  • Use the compromised system as a proxy for communication between remote IPs.
  • Activate a self-destruct feature to remove traces of infection.


To further complicate removal, Auto-Color protects /etc/ld.preload, preventing modifications or deletions that could disrupt its persistence mechanisms.


Encrypted C2 Communication & Command Execution

According to Armstrong, Auto-Color is designed to receive remote instructions from its command server, which can turn it into a persistent backdoor on infected machines. Each sample is compiled with its own C2 server IP, stored encrypted with a custom algorithm so that the address cannot be recovered from the binary by simple string searches, which hampers detection and infrastructure tracking.


Conclusion: A Growing Threat to Linux Security

Auto-Color represents a serious cybersecurity risk, particularly for high-value targets like government agencies and research institutions. Its stealth capabilities, encrypted communications, and persistence mechanisms make it a formidable Linux-based malware that requires specialized threat detection solutions to mitigate.


🔍 Stay ahead of emerging threats! Organizations should implement advanced endpoint security, monitor network traffic for anomalies, audit the dynamic linker's preload configuration and /var/log/cross for unexpected entries, and restrict execution of unverified software to defend against evolving Linux malware like Auto-Color.